Date: Tue, 17 Jul 2007 15:39:28 +0200
From: MgpF <mf@...teoflora.com>
To: full-disclosure@...ts.grok.org.uk,  bugtraq@...urityfocus.com
Subject: [0x70xB] Open Redirector ARIANNA.LIBERO.IT


### VULNERABILITY INTERNAL IDENTIFICATION NUMBER: 0x70xB

- - - - - - - ---------------------------------------------------
DESCRIPTION
- - - - - - - ---------------------------------------------------

An OPEN REDIRECTOR vulnerability has been found on Libero's
Arianna portal (arianna.libero.it), one of the most important
Italian portals and search engines.

The vulnerability is in the "News" section of the Arianna
portal: the "ltrace_news" CGI takes a parameter named "uc" and
redirects the browser to its value without checking it.

By changing the "uc" parameter an attacker can redirect a user
to any site of their choosing. The resulting impact is:

1) arbitrary redirection for Phishing purpose

A normal URL looks like this:

<http://arianna.libero.it/news/cgi-bin/ltrace_news?id=115&pg=-1
&qi=2000-01-01-00:00:00&li=h&wu=-1&wl=-1&nf=-1&ct=0&nl=-1&ip=X
&rg=7&sq=1&wb=5542388&ml=3&uc=XXX>

where "XXX" is the page to be redirected to.

- - - - - - - ---------------------------------------------------
POC
- - - - - - - ---------------------------------------------------

By changing the parameter it is possible to alter the landing
page. For example:

<http://arianna.libero.it/news/cgi-bin/ltrace_news?id=115&pg=-1
&qi=2000-01-01-00:00:00&li=h&wu=-1&wl=-1&nf=-1&ct=0&nl=-1&ip=X
&rg=7&sq=1&wb=5542388&ml=3&uc=http%3A%2F%2Fwww.matteoflora.com>

will redirect the user to "http://www.matteoflora.com".

A POC URL is available (until it is deleted or fixed) here:

<http://arianna.libero.it/news/cgi-bin/ltrace_news?id=115&pg=-1
&qi=2000-01-01-00:00:00&li=h&wu=-1&wl=-1&nf=-1&ct=0&nl=-1&ip=X
&rg=7&sq=1&wb=5542388&ml=3&uc=http%3A%2F%2Fwww.matteoflora.com>

- - - - - - - ---------------------------------------------------
SOLUTION
- - - - - - - ---------------------------------------------------

Checking that the parameter value points to an internal page
is enough to fix this particular issue, but such a check must
treat scheme-relative values (//host), non-http schemes and
host names that merely start with the portal's name as external,
or it can be bypassed. The better design is a server-side lookup
table of permitted URLs, with only an ID passed in the request.
An IN DEPTH review of the code by an Application Security Expert
is STRONGLY suggested.
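As an added example (not part of this advisory and not Libero's
ltrace_news code, which is not public), the following Python shows
both fixes side by side with the unchecked behaviour the advisory
describes: an allow-list check on the "uc" value, and an ID lookup
table. The allowed host names, landing page, table ids and the bypass
inputs are assumptions; the PoC URL is the one quoted above.

```python
"""Added example: open-redirect fixes for a ``uc``-style parameter.

Not the ltrace_news code.  ALLOWED_HOSTS, BASE, REDIRECT_TABLE and the
bypass inputs are assumptions made for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed trusted hosts and fallback landing page; the real policy is unknown.
ALLOWED_HOSTS = {"arianna.libero.it", "www.libero.it"}
BASE = "http://arianna.libero.it/"

# Only two shapes are accepted: an http(s) URL, or a site-relative path that
# starts with a single "/".  Everything else (javascript:, data:, "//", "///",
# backslashes, whitespace) is refused before any URL parsing happens, because
# browsers and library parsers disagree about exactly those inputs.
_ABSOLUTE = re.compile(r"^https?://[^\s\\]+$", re.IGNORECASE)
_RELATIVE = re.compile(r"^/(?![/\\])[^\s\\]*$")


def uc_from_url(url: str) -> str:
    """Extract and URL-decode the ``uc`` parameter from a full ltrace_news URL."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("uc", [""])[0]


def vulnerable_redirect_target(uc: str) -> str:
    """The behaviour the advisory describes: ``uc`` is used as-is."""
    return uc


def safe_redirect_target(uc: str) -> str:
    """Fix 1: follow ``uc`` only if it stays on an allowed host, else go to BASE."""
    if _RELATIVE.match(uc):
        return BASE.rstrip("/") + uc
    if not _ABSOLUTE.match(uc):
        return BASE
    try:
        parts = urlsplit(uc)
    except ValueError:          # e.g. malformed IPv6 literal
        return BASE
    # hostname is lower-cased with the port stripped.  A userinfo part
    # ("http://arianna.libero.it@evil/") is refused outright so the address
    # bar cannot be made to show a misleading prefix.
    if parts.username is not None or parts.password is not None:
        return BASE
    if parts.hostname not in ALLOWED_HOSTS:
        return BASE
    return uc


# Fix 2: the request never carries a URL, only an id that the server maps to
# a fixed table.  Ids and destinations here are made up for the example.
REDIRECT_TABLE = {
    "news-home": "http://arianna.libero.it/news/",
    "portal": "http://www.libero.it/",
}


def redirect_by_id(uc_id: str) -> str:
    """Fix 2: unknown ids fall back to BASE instead of anything attacker-chosen."""
    return REDIRECT_TABLE.get(uc_id, BASE)


# The advisory's PoC URL, plus constructed bypass shapes a naive check misses.
POC_URL = ("http://arianna.libero.it/news/cgi-bin/ltrace_news?id=115&pg=-1"
           "&qi=2000-01-01-00:00:00&li=h&wu=-1&wl=-1&nf=-1&ct=0&nl=-1&ip=X"
           "&rg=7&sq=1&wb=5542388&ml=3&uc=http%3A%2F%2Fwww.matteoflora.com")
BYPASS_ATTEMPTS = [
    "//www.matteoflora.com/",                          # scheme-relative
    "///www.matteoflora.com/",                         # browsers collapse slashes
    "/\\www.matteoflora.com/",                         # "\" is "/" to browsers
    "http://arianna.libero.it.matteoflora.com/",       # prefix-match trap
    "http://arianna.libero.it@www.matteoflora.com/",   # userinfo trick
    "HTTP://WWW.MATTEOFLORA.COM/",                     # case games
    "javascript:alert(document.domain)",               # non-http scheme
]

if __name__ == "__main__":
    uc = uc_from_url(POC_URL)
    print("advisory PoC, unchecked:", vulnerable_redirect_target(uc))
    print("advisory PoC, checked  :", safe_redirect_target(uc))
    for attempt in BYPASS_ATTEMPTS:
        print(f"{attempt!r:50} -> {safe_redirect_target(attempt)}")
    print("id lookup:", redirect_by_id("news-home"), redirect_by_id("../evil"))
```

The allow-list version deliberately refuses anything it cannot classify
rather than trying to normalise it, since normalisation is where
parser differences between the server and the browser creep in; the
ID-table version avoids the problem entirely because the client never
supplies a URL.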

- - - - - - - ---------------------------------------------------
CONCLUSION
- - - - - - - ---------------------------------------------------

The impact of this vulnerability is MODERATE for PHISHING and
SCAM purposes and VERY LOW for system integrity.

Greetings,
MgpF

- - - - - - - ---------------------------------------------------
TIMELINE
- - - - - - - ---------------------------------------------------

Initial Finding   : 2007-04-20
VENDOR DISCLOSURE : 2007-05-30 (management contact)
VENDOR Solving    : 2007-06-30
PUBLIC DISCLOSURE : 2007-07-17

- - - - - - --
Matteo G.P. Flora   | mf@...teoflora.com | www.MatteoFlora.com
Sec & Forensics Guy | PGP F3B6BC10       | blog www.LastKnight.com
